CVE-2020-7021Log File Information Exposure in Elasticsearch

CWE-532Log File Information ExposureCWE-200Sensitive Information Exposure7 documents6 sources
Severity
4.9MEDIUMNVD
EPSS
0.3%
top 47.37%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Elastic Elasticsearch
Timeline
PublishedFeb 10
Latest updateMay 24

Description

Elasticsearch versions before 7.10.0 and 6.8.14 have an information disclosure issue when audit logging and the emit_request_body option is enabled. The Elasticsearch audit log could contain sensitive information such as password hashes or authentication tokens. This could allow an Elasticsearch administrator to view these details.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:NExploitability: 1.2 | Impact: 3.6

Affected Packages2 packages

NVDelastic/elasticsearch7.0.07.10.0+1
CVEListV5elastic/elasticsearchbefore 7.10.0 and 6.8.14

🔴Vulnerability Details

4
GHSA
Insertion of Sensitive Information into Log File in Elasticsearch2022-05-24
OSV
Insertion of Sensitive Information into Log File in Elasticsearch2022-05-24
OSV
CVE-2020-7021: Elasticsearch versions before 72021-02-10
CVEList
CVE-2020-7021: Elasticsearch versions before 72021-02-10

📋Vendor Advisories

2
Red Hat
elasticsearch: Information disclosure via audit logging with emit_request_body option enabled2021-02-10
Microsoft
Elasticsearch versions before 7.10.0 and 6.8.14 have an information disclosure issue when audit logging and the emit_request_body option is enabled. The Elasticsearch audit log could contain sensitive2021-02-09
CVE-2020-7021 — Log File Information Exposure | cvebase